I'm trying to set a CSP for our site, but it seems that the Forms Content Security Policy (CSP) > Organisation CSP Header can only accept a maximum of 1,000 characters. I expect this may be a TM database constraint, rather than a web/HTTP header constraint.
We have a number of domains that we need to whitelist for things like analytics, web optimization and others; however, the list exceeds 1,000 characters.
Is there a limit to the number of characters allowed in the CSP Header?
You have that config in TM: Forms/Organizations, select the organization to modify, tab Security: Forms Content Security Policy (CSP).
You can select override policy and add your constraints.
Thanks for the comment.
I am familiar with the CSP settings, but I had a situation where I had to add more domains to the existing list. When I tried to add the extra domains not all the text was accepted in the field.
The list I had was greater than 1,000 characters, and the last few characters were truncated, so the CSP policy was not valid.
I did find a way to decrease the size of the domain list (by using a subdomain wildcard), so that the text was less than 1,000 characters, and so I managed to get a valid policy loaded.
Hi Mark, sorry, my bad, I misunderstood the question. That's the best practice.
I found a way to more efficiently list some of the allowed domains.
To handle subdomains you can use wildcards, like *.goggle.com, instead of listing each subdomain explicitly.
But I'm still interested to know if there is a TM limit.
Hope that helps someone out there.
Good work Mark, thanks for sharing that.
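The wildcard approach discussed in this thread, as an added example that is not part of any post: it collapses listed subdomains into a wildcard for an approved parent and checks the result against the 1,000-character field size reported above. The domains, function names and sample policy are constructed assumptions, and the limit is the figure from the thread, not a documented TM value.

```python
FIELD_LIMIT = 1000  # field size reported in the thread (assumption, not documented)

def collapse_hosts(sources, parents):
    """Replace subdomains of an approved parent with a single '*.parent' source.

    A CSP host wildcard matches subdomains only, so a bare parent host stays
    listed. Keywords such as 'self', and sources with a port or path, pass
    through unchanged. A wildcard allows every subdomain of the parent, so
    only pass parents whose subdomains are all run by a trusted party.
    """
    out = []
    for src in sources:
        scheme, sep, host = src.rpartition("://")
        parent = next((p for p in parents if host.endswith("." + p)), None)
        new = f"{scheme}{sep}*.{parent}" if parent else src
        if new not in out:  # drop duplicates created by collapsing
            out.append(new)
    return out

def build_policy(directives, parents=()):
    """Serialize {directive: [sources]} into one CSP header value."""
    return "; ".join(
        " ".join([name] + collapse_hosts(sources, parents))
        for name, sources in directives.items()
    )

def fits_field(policy, limit=FIELD_LIMIT):
    """True when the policy can be stored without being truncated."""
    return len(policy) <= limit

# Constructed sample: 40 analytics subdomains push the policy past the limit.
SAMPLE = {
    "script-src": ["'self'", "https://example.com"]
    + [f"https://tag{i:02d}.analytics.example.com" for i in range(40)],
    "img-src": ["'self'", "https://pixel.example.net"],
}

if __name__ == "__main__":
    for parents in ((), ("analytics.example.com",)):
        policy = build_policy(SAMPLE, parents)
        print(len(policy), "fits" if fits_field(policy) else "TOO LONG")
        print(policy[:120])
```

Passing the narrowest parent that covers the listed hosts keeps the wildcard from allowing more subdomains than the original list needed.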